1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

Analysis

max time kernel
75s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2023 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dControl.exe
Size

447KB
MD5

58008524a6473bdf86c1040a9a9e39c3
SHA1

cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256

1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512

8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP

6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4560-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/4560-21-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/368-42-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1904-94-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1904-95-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2068-116-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1904-171-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1904-233-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1904-234-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1904-235-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1904-236-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2800-258-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1904-259-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/4560-21-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/368-42-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1904-94-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1904-95-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2068-116-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1904-171-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1904-233-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1904-234-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1904-235-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1904-236-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2800-258-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1904-259-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3528	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4560	dControl.exe
4560	dControl.exe
4560	dControl.exe
4560	dControl.exe
4560	dControl.exe
4560	dControl.exe
368	dControl.exe
368	dControl.exe
368	dControl.exe
368	dControl.exe
368	dControl.exe
368	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
2068	dControl.exe
2068	dControl.exe
2068	dControl.exe
2068	dControl.exe
2068	dControl.exe
2068	dControl.exe
4072	msedge.exe
4072	msedge.exe
876	msedge.exe
876	msedge.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
2800	dControl.exe
2800	dControl.exe
2800	dControl.exe
2800	dControl.exe
2800	dControl.exe
2800	dControl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1904	dControl.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4560	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	4560	dControl.exe
Token: SeIncreaseQuotaPrivilege	4560	dControl.exe
Token: 0	4560	dControl.exe
Token: SeDebugPrivilege	368	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	368	dControl.exe
Token: SeIncreaseQuotaPrivilege	368	dControl.exe
Token: SeDebugPrivilege	1904	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	1904	dControl.exe
Token: SeIncreaseQuotaPrivilege	1904	dControl.exe
Token: 0	1904	dControl.exe
Token: SeDebugPrivilege	1904	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	1904	dControl.exe
Token: SeIncreaseQuotaPrivilege	1904	dControl.exe
Token: 0	1904	dControl.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe
1904	dControl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5784	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2068	1904	dControl.exe	99
PID 1904 wrote to memory of 2068	1904	dControl.exe	99
PID 1904 wrote to memory of 2068	1904	dControl.exe	99
PID 4088 wrote to memory of 2204	4088	msedge.exe	110
PID 4088 wrote to memory of 2204	4088	msedge.exe	110
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4500	4088	msedge.exe	112
PID 4088 wrote to memory of 4072	4088	msedge.exe	111
PID 4088 wrote to memory of 4072	4088	msedge.exe	111
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113
PID 4088 wrote to memory of 3180	4088	msedge.exe	113

C:\Users\Admin\AppData\Local\Temp\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\dControl.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560
- C:\Users\Admin\AppData\Local\Temp\dControl.exe
  C:\Users\Admin\AppData\Local\Temp\dControl.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- - C:\Users\Admin\AppData\Local\Temp\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" ms-settings:windowsdefender
      4⤵
      PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |3356|
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2068
  - - C:\Windows\Explorer.exe
      "C:\Windows\Explorer.exe" windowsdefender:
      4⤵
      PID:5344
  - - C:\Users\Admin\AppData\Local\Temp\dControl.exe
      "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /EXP |3356|
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault8ebe9a93h97e1h436bhb254h16dc480312cf
1⤵
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc674846f8,0x7ffc67484708,0x7ffc67484718
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,9035810491403901458,10991053620993837172,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9035810491403901458,10991053620993837172,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,9035810491403901458,10991053620993837172,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:3180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault0613a8ech1bd9h4d1dhb864h8cb5ca5fbd05
1⤵
PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc674846f8,0x7ffc67484708,0x7ffc67484718
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,3358942072472168245,15469066279526548718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3358942072472168245,15469066279526548718,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,3358942072472168245,15469066279526548718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:3484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5452

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:3484
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:3528

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3968

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84df16093540d8d88a327b849dd35f8c

SHA1
c6207d32a8e44863142213697984de5e238ce644

SHA256
220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c

SHA512
3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84df16093540d8d88a327b849dd35f8c

SHA1
c6207d32a8e44863142213697984de5e238ce644

SHA256
220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c

SHA512
3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
d144963ea8bb5afe3d9caa6a8dab051d

SHA1
547648cd1fd9bebb9921f641066b7469281adca2

SHA256
c5ddcb2c6924059f0b4f33f3aa14327080dc1d1e9b59499e1824a5e7992e321c

SHA512
398176e48a78acbedb8efbe2909303b45b3f7c737eeab927dd10871a50a0ceea6af98839eeac2ab6da4122a46830e001a03dac854000d62049f56c73b2bfc713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
52e96827572234f9737ff863a8f8d09e

SHA1
5086fc03eb3d905cef2feb5d7fb2e428e71dea40

SHA256
fac8fc4b889fcaa57278a64d8c5290d74585fbace64576d35a69288ac526b089

SHA512
32757fc9cf2f7af3743529687ef8f564640c56697a7250300301ad32763aa6b68bfee42b7f8552abd340d0142265f109ab3823b12b53f231003348e62c6740eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
52e96827572234f9737ff863a8f8d09e

SHA1
5086fc03eb3d905cef2feb5d7fb2e428e71dea40

SHA256
fac8fc4b889fcaa57278a64d8c5290d74585fbace64576d35a69288ac526b089

SHA512
32757fc9cf2f7af3743529687ef8f564640c56697a7250300301ad32763aa6b68bfee42b7f8552abd340d0142265f109ab3823b12b53f231003348e62c6740eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
7383cd6d7d510801a30cd5776f2fc402

SHA1
11b4828c03110ff250d65be7e4b1cb51682f7c91

SHA256
a30495578169da8e303d78dac524e97e5db1e84faae6ad3321e9cc24b57b6965

SHA512
409ca8be76078df9b431db83db89368b856fc2e42331796401eecd3e5720c1e93fa05a86b5a102397cb1ae3cfff47dd34633c00f18d2dde8a3d726e90d527921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
2d821a8d4fc69464653028a75d7d7446

SHA1
e16fca3401d06275cbb815d9224129b42b57255d

SHA256
9723fa301fd65b6eb84ff0df4ed97c94f36fd56ff4b6c6e28875c19390942a76

SHA512
56639ec5e4ad10042475e3366311241e74f0bc687a03b65818c9f754193a46124e721e0067a1b07d1fb669a44cc5b52af57ebe26b146dbd370e0266f61df7f14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
7adc412c988dc1e7482f66c9d744a8b7

SHA1
dd3e78739d93c2114cbc7eb9f2b82226b2d4a760

SHA256
1761dc23be5fe077020649442477bae950404f243f7895ede2fc34b57bf6f4ee

SHA512
7eef7971d97bce075ea994ec3348a463f245456047ff4623a512ff71fcc92e3da08b363c8948a47bf62763daed53bef961fa63f25372c79d165b33b2e452648b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
7adc412c988dc1e7482f66c9d744a8b7

SHA1
dd3e78739d93c2114cbc7eb9f2b82226b2d4a760

SHA256
1761dc23be5fe077020649442477bae950404f243f7895ede2fc34b57bf6f4ee

SHA512
7eef7971d97bce075ea994ec3348a463f245456047ff4623a512ff71fcc92e3da08b363c8948a47bf62763daed53bef961fa63f25372c79d165b33b2e452648b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
a4925d1829dab583644a4ac139c360cd

SHA1
8e94aac3a77c4d183e7eac8900fb059c1b512a47

SHA256
2a8f97b40cdbcee5548db05de46518b886593c35fb0daa6a3ca9d03ecdc252e1

SHA512
c2c26713eeb00c71f9538219eab4d1f84b0f931079e3294770e397f3261f93aa07c8d4e127d87bbfe73204adbde6dd267f17be10eef3232cba6e694582525577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\dControl.ini

Filesize
2KB

MD5
4bdf55e2ec3e26956f9b3111aa6d5feb

SHA1
9f2b1d8bda1630ccea2acf695580b2c34482790a

SHA256
005c6d1d36d7c8ae64c06a3b36e6952059d157229868fa7e88a6affa93db129e

SHA512
2e56ceddb589f6c42c30644640077afee5e17ad2dcf8861824a8e49d0e7b9b54f2bb680a5f81d5a16a487e8b4a75ee6f09d096ed5348edb47828b8a505b5fff9

Download Submit
C:\Windows\Temp\8hiq3k6y.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Windows\Temp\8hiq3k6y.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Windows\Temp\aut6CD3.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\aut6CE4.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\aut6CE5.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
memory/368-42-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1904-95-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1904-259-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1904-236-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1904-171-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1904-235-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1904-94-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1904-233-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1904-234-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2068-116-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2800-258-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4560-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4560-21-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download